CVE-1999-1005
CVSS 5.0
Published: 1999-12-19 00:00:00
Last revised: 2016-10-17 22:00:05

[Original] Groupwise web server GWWEB.EXE allows remote attackers to read arbitrary files with .htm extensions via a .. (dot dot) attack using the HELP parameter.


[CNNVD] Multiple vulnerabilities in Novell GroupWise GWWEB.EXE (CNNVD-199912-060)

        
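        The HELP function in GWWEB.EXE discloses the server path; combined with the '../' string, it allows listing all accessible directories and reading all .htm files on the server.
        Supplying an overlong string for a GWINTER.NLM variable may cause it to terminate abnormally.
        Remote attackers can exploit these vulnerabilities to browse files on the server and even execute arbitrary code.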
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:novell:groupwise:5.2 Novell Groupwise 5.2
cpe:/a:netscape:enterprise_server:3.0.7a
cpe:/a:novell:groupwise:5.5 Novell Groupwise 5.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1005
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1005
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-060
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=94571433731824&w=2
(UNKNOWN)  BUGTRAQ  19991219 Groupewise Web Interface
http://www.securityfocus.com/bid/879
(UNKNOWN)  BID  879

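- Vulnerability information

Multiple vulnerabilities in Novell GroupWise GWWEB.EXE
Medium Unknown
1999-12-19 00:00:00 2006-09-05 00:00:00
Remote / Local
        
        The HELP function in GWWEB.EXE discloses the server path; combined with the '../' string, it allows listing all accessible directories and reading all .htm files on the server.
        Supplying an overlong string for a GWINTER.NLM variable may cause it to terminate abnormally.
        Remote attackers can exploit these vulnerabilities to browse files on the server and even execute arbitrary code.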
        

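- Advisories and patches

        Vendor patch:
        Novell
        ------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: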
        
        http://support.novell.com/security-alerts

- Vulnerability information (19682)

Netscape Enterprise Server, Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities (EDBID:19682)
novell remote
1999-12-19 Verified
0 Sacha Faust Bourque
N/A
Netscape Enterprise Server for NetWare 4/5 3.0.7 a, Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities

source: http://www.securityfocus.com/bid/879/info

The HELP function in GWWEB.EXE will reveal the path of the server, and combined with the '../' string, allow read access for any client to any .htm file on the server, as well as browseable directory listings.

Also, it is possible to abend GWINTER.NLM by specifying a long string where the server expects a variable setting. 

Requesting the following URL from the GroupWise server
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=asdf
will return the error message:
Could not read file SYS:WEB\CGI-BIN\GW5\US\HTML3\HELP\ASDF.HTM
revealing the full path of the GroupWise server software.
Note: The URL above may need to be tailored to the target system.

To read .htm files anywhere on the server, or to browse directories, use HELP and the ../ string to traverse directories, for example:
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm
or
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../
Again, the paths shown above may need to be modified.

To abend GWINTER.NLM request a URL like:
http ://victimhost/cgi-bin/GW5/GWWEB.EXE?[512+ chars]
It may be possible to remotely execute arbitrary code via this buffer overflow.
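
For defenders reviewing web server logs, the two request patterns described above can be flagged as follows. This is an added example, not part of the original advisory or any vendor tooling; the Common Log Format input, the function names and the repeated percent-decoding (the page does not say which encodings GWWEB.EXE accepts) are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic); addresses are illustrative.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Dec/1999:10:00:01 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?HELP=index HTTP/1.0" 200 1830',
    '10.0.0.9 - - [19/Dec/1999:10:02:11 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm HTTP/1.0" 200 512',
    '10.0.0.9 - - [19/Dec/1999:10:02:15 +0000] "GET /cgi-bin/gw5/gwweb.exe?help=%2e%2e%5c%2e%2e%5c HTTP/1.0" 200 940',
    '10.0.0.9 - - [19/Dec/1999:10:02:19 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?HELP=%252e%252e%252f HTTP/1.0" 200 940',
    '10.0.0.9 - - [19/Dec/1999:10:03:40 +0000] "GET /cgi-bin/GW5/GWWEB.EXE?' + "A" * 600 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [19/Dec/1999:10:04:02 +0000] "GET /docs/index.htm?HELP=../ HTTP/1.0" 200 77',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_QUERY = 512  # the advisory reports an abend of GWINTER.NLM at 512+ characters

def full_decode(value, rounds=3):
    """Percent-decode repeatedly so encoded and double-encoded forms are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the findings for one access-log line (empty list if nothing matches)."""
    match = REQUEST.search(line)
    if not match:
        return []
    path, _, query = match.group(1).partition("?")
    # Compare case-insensitively; only requests to GWWEB.EXE are in scope.
    if not full_decode(path).upper().endswith("/GWWEB.EXE"):
        return []
    findings = []
    if len(query) >= MAX_QUERY:
        findings.append("overlong-query")
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        # A ".." path segment in HELP, with either slash style, is traversal.
        if full_decode(name).upper() == "HELP" and ".." in re.split(r"[\\/]", full_decode(value)):
            findings.append("help-traversal")
            break
    return findings

def scan(lines):
    """Map line index to findings, for the lines that produced any."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}
```
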

		

- Vulnerability information

3413
Novell GroupWise GWWEB.EXE HELP Parameter Traversal Arbitrary File Access
Remote / Network Access Input Manipulation
Loss of Confidentiality
Exploit Public

- Vulnerability description

Novell Groupwise contains a vulnerability that allows a remote attacker to read arbitrary files in the web path. The issue is due to a lack of sanity checking for input passed to the HELP variable in the GWWEB.EXE program. By providing a .htm or .html file name and ../../ traversal attack, anyone can view any document within the web server path.

- Timeline

1999-12-19 Unknown
1999-12-19 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

Unknown or Incomplete